Many big companies are still vulnerable to the biggest computer bug ever discovered, report says

Business Insider
The computer bug Heartbleed was discovered one year ago, but many companies and individuals are still seeing its effects, according to a new report released on Tuesday by security firm Venafi (via Fortune).

The bug meant that servers storing critical content like passwords, usernames, and other sensitive data were accessible to attackers who knew about the vulnerability.

Companies have had the last 12 months to completely fix the bug, but most have not, as Venafi discovered in its audit of the Forbes Global 2000 companies affected by Heartbleed.

"3 out of 4 Global 2000 with public-facing systems vulnerable to Heartbleed are still open to breach," the report said. This means only 416 companies have fully defended themselves against the havoc Heartbleed could wreak.

Remediation is taking companies so long because the vulnerability is so fundamental that patching alone does not fix it. Security experts said at the time of Heartbleed's discovery that a complete overhaul would be necessary. Beyond patches, all keys and certificates would need to be revoked, then replaced.

Most companies have not done this.

"Venafi has identified 580,000 hosts belonging to Global organizations that have not been completely remediated," writes the report.

This means that although companies may have patched the problem (in fact, every company has), they haven't performed the second and third steps of revoking and replacing all of the necessary keys. These two tasks are necessary to fend off future attacks.
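The three-step remediation above (patch, revoke, replace) can be turned into a defender-side inventory check. The following Go program is an added example for this article, not code from Business Insider or from Venafi's report. It assumes a hypothetical `Host` record in which the patch status comes from a vulnerability scan and the certificates are already in hand, and it uses the publicly known Heartbleed disclosure date of 7 April 2014. It also adds a check the article does not spell out: a certificate issued after the disclosure date is only evidence of remediation if the public key inside it actually changed, since a certificate reissued for the old, possibly exposed key leaves the host in the same position. The four hosts in the inventory are constructed to exercise each outcome.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed was publicly disclosed on 7 April 2014; a certificate issued before
// that date binds a key that may have been read from a vulnerable server's memory.
var heartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// RemediationState mirrors the patch / revoke / replace steps in the article.
type RemediationState int

const (
	Unpatched     RemediationState = iota // OpenSSL not patched: still exploitable
	KeyNotRotated                         // patched, but serving a pre-disclosure certificate
	KeyReused                             // new certificate, same public key as before
	Remediated                            // patched and serving a certificate for a fresh key
)

func (s RemediationState) String() string {
	return []string{"unpatched", "key-not-rotated", "key-reused", "remediated"}[s]
}

// Host is one row of a hypothetical inventory: Patched is what a vulnerability scan
// reports, Served the certificate presented now, PreDisclosure the one presented
// before April 2014 (nil if the inventory never recorded it).
type Host struct {
	Name                  string
	Patched               bool
	Served, PreDisclosure *x509.Certificate
}

// ClassifyHost checks, in order, that the patch is applied, that the certificate was
// issued after disclosure, and that the key itself changed, not only the certificate.
func ClassifyHost(h Host) RemediationState {
	if !h.Patched {
		return Unpatched
	}
	if h.Served.NotBefore.Before(heartbleedDisclosure) {
		return KeyNotRotated
	}
	if h.PreDisclosure != nil &&
		bytes.Equal(h.PreDisclosure.RawSubjectPublicKeyInfo, h.Served.RawSubjectPublicKeyInfo) {
		return KeyReused
	}
	return Remediated
}

// must panics on error so the constructed fixtures below stay short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert self-signs a certificate for key with the given NotBefore so the example
// runs offline; in practice Served would come from a TLS handshake with the host.
func mustCert(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// constructedInventory returns four hypothetical hosts, one per remediation state.
func constructedInventory() []Host {
	oldKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	jan := time.Date(2014, time.January, 15, 0, 0, 0, 0, time.UTC)
	apr := time.Date(2014, time.April, 10, 0, 0, 0, 0, time.UTC)
	oldCert := mustCert(oldKey, jan)
	return []Host{
		{"unpatched.example.com", false, oldCert, oldCert},
		{"old-cert.example.com", true, oldCert, oldCert},
		{"reissued.example.com", true, mustCert(oldKey, apr), oldCert},
		{"rotated.example.com", true, mustCert(newKey, apr), oldCert},
	}
}

func main() {
	for _, h := range constructedInventory() {
		fmt.Printf("%-24s %s\n", h.Name, ClassifyHost(h))
	}
}
```

Only the last host counts as remediated: the first is still exploitable, the second serves a certificate that predates disclosure, and the third has a new certificate but the same public key. Comparing `RawSubjectPublicKeyInfo` rather than the certificate's serial or fingerprint is what distinguishes a genuine key rotation from a cosmetic reissue.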

"Failure to revoke the old certificate enables the attacker to use the old certificate in phishing campaigns against the organization and its customers," Venafi explains.

In short, unless all bases are covered, attackers can still attack these companies and gain access to this private data.